Kodi’s Data Breach Confirmed as Forum Database Goes Up for Sale Online – What You Need to Know Now
Kodi, the popular media player software, has announced a data breach after its forum database was found for sale online. The stolen data includes usernames, email addresses, IP addresses, and hashed passwords. Kodi has urged its users to reset their passwords and warned them to beware of phishing emails. The company has also assured users that no financial information was compromised in the breach.
Kodi Foundation Discloses Data Breach and Plans Password Reset
IT Services has learned that the Kodi Foundation has suffered a data breach after hackers stole the organization’s MyBB forum database, containing user data and private messages, and attempted to sell it online. Kodi is a cross-platform open-source media player, organizer, and streaming suite that supports a vast array of third-party add-ons, enabling users to access content from various sources or customize their experience. The now-shut-down Kodi forum had roughly 401,000 members who used it to discuss media streaming, exchange tips, offer support, share new add-ons, and more in 3 million posts.
According to an announcement published by the platform on Saturday, hackers stole the forum database by logging into the Admin console using an inactive staff member’s credentials. Once they gained access to the admin panel, they created and downloaded database backups multiple times in 2023. Kodi’s admin logs show that the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February. The account was used to create database backups, which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database.
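The two signals in that account, an admin login from a long-inactive staff account and a backup that is created, downloaded and then deleted, can be checked for in admin-console logs. The following is an added example, not Kodi's or MyBB's code: the event tuples, action labels, account names and the 90-day dormancy threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumption: what counts as an inactive staff account
BACKUP_ACTIONS = {"backup_create", "backup_download", "backup_delete"}  # assumed labels

# Constructed events: (ISO time, account, action, backup file). Not Kodi's real logs.
EVENTS = [
    ("2023-02-10T09:00:00", "active_admin", "login", ""),
    ("2023-02-10T09:05:00", "active_admin", "backup_create", "nightly.sql.gz"),
    ("2023-02-16T03:12:00", "dormant_admin", "login", ""),
    ("2023-02-16T03:15:00", "dormant_admin", "backup_create", "adhoc1.sql.gz"),
    ("2023-02-16T03:40:00", "dormant_admin", "backup_download", "adhoc1.sql.gz"),
    ("2023-02-16T03:41:00", "dormant_admin", "backup_delete", "adhoc1.sql.gz"),
    ("2023-02-21T02:50:00", "dormant_admin", "login", ""),
    ("2023-02-21T02:55:00", "dormant_admin", "backup_download", "nightly.sql.gz"),
]
# Last legitimate activity per account before the review window (constructed).
LAST_SEEN = {"active_admin": "2023-02-08T10:00:00",
             "dormant_admin": "2022-06-01T12:00:00"}

def find_alerts(events, last_seen, dormant_after=DORMANT_AFTER):
    """Return (time, account, rule) alerts for dormant-account use and backup removal."""
    seen = {u: datetime.fromisoformat(t) for u, t in last_seen.items()}
    flagged = set()     # accounts that returned after a dormant gap; stay flagged
    file_actions = {}   # backup file -> set of actions observed on it so far
    alerts = []
    for ts, user, action, target in sorted(events):
        when = datetime.fromisoformat(ts)
        prev = seen.get(user)
        if action == "login" and (prev is None or when - prev > dormant_after):
            flagged.add(user)
            alerts.append((ts, user, "dormant-admin-login"))
        if action in BACKUP_ACTIONS:
            # Any backup handling by a flagged account is suspicious, including
            # downloads of existing nightly backups on a later visit.
            if user in flagged:
                alerts.append((ts, user, "backup-action-by-dormant-account"))
            done = file_actions.setdefault(target, set())
            done.add(action)
            # A backup that was created, downloaded and deleted covers its tracks.
            if action == "backup_delete" and done == BACKUP_ACTIONS:
                alerts.append((ts, user, "backup-created-downloaded-deleted"))
        seen[user] = when
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, LAST_SEEN):
        print(*alert)
```

The flagged set is kept across sessions so that the second visit, which on its own no longer looks dormant, still raises an alert when it touches a backup.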
The Kodi team confirmed that the actual account owner did not perform these actions on the admin console, indicating that the staff member’s credentials were likely stolen. The stolen database contains all public forum posts, staff forum posts, private messages sent between users, and forum member data, including usernames, email addresses, and encrypted (hashed and salted) passwords generated by the MyBB (v1.8.27) software. While the passwords were hashed and salted, Kodi warns that all passwords should now be considered compromised. The admin team is planning a global password reset that will inevitably impact service availability.
Users must assume their Kodi forum credentials and any private data shared with other users through the user-to-user messaging system are compromised, warns Kodi’s announcement. If you have used the same username and password on any other site, you should follow the password reset/change procedure for that site.
In an update published earlier today, Kodi’s administrators informed the community that they are commissioning a new forum server despite seeing no evidence or signs of compromise on the existing systems. The forum will be redeployed using the latest available MyBB version. This comes with a heavy workload required to incorporate custom functional changes and backport security fixes, so a delay of “several days” is to be expected. The Kodi team plans to run penetration tests once everything is up and running again. They are calling for professional auditors who could volunteer to donate some time and expertise to help them with this cybersecurity project.
Kodi Data Marketed on a Hacking Forum
The Kodi team says they disclosed the breach after learning that hackers were selling the stolen database online. KELA, a cyberintelligence company, informed IT Services that the “Kodi Community Forum” database was being sold in February on the now-defunct Breached hacking forum.
The seller, Amius, claimed they were selling a database dumped on February 15th, 2023, containing the information for 400,314 Kodi forum members, including the information for “many iptv resellers.” The seller was accepting offers privately through Telegram, so there is no information on the cost of the database.
Breached was a popular hacking and data leak forum known for hosting, leaking, and selling data obtained from breached companies, governments, and various organizations. The Breached site shut down after its founder and owner, Pompompurin, was arrested by the FBI. While another admin known as Baphomet attempted to keep the site operational, they later shut it down out of fear that law enforcement had access to the servers.
Update 4/12/23: Added info about where database was being sold